Top Secret Warfare and the Law

There are now three armies in America: the regular volunteer force, the secret volunteer force -- the folks at the Joint Special Operations Command -- and the paramilitaries and contractors used by the CIA. Three armies, a welter of conflicting laws, domains and territories. The scariest part of the Ellen Nakashima's story on Friday on how Air Force cyber warriors dismantled a joint CIA-Saudi honey pot website is what it reveals about oversight, priorities and law -- particularly in the realm of cyberspace. Three armies doing battle against an enemy, and institutionally, against each other.

I've spoken with two individuals familiar with the operation, and they declined to talk about it, for fear of losing their security clearances. But in the opaque way that governs these types of communications, both seemed to worry about accountability. The article claims that the CIA and Saudi Arabia created a jihadi website; it became useful, helping the Saudis and the CIA collect intelligence on a range of matters. The honey pot had drawn in the bees. But the military feared, and apparently had solid evidence, that some jihadis had used the site to plot attacks against American soldiers. A task force was formed; the NSA wanted to shut the site down; the CIA wanted to keep the site open. Equities were involved: the CIA worried about the loss of intelligence and the upsetting of its fragile but productive relationship with Saudi Arabia, and the Defense Department worried about the safety of troops. It's not clear who made the decision to shut down the site, but NSA director Keith Alexander, putting on his hat as the nation's chief cyber warrior, ordered one of the government's numerous offensive cyberattackers to shut it down. (Why couldn't the CIA simply have switched off the site? Unclear.) Other sites were knocked offline in the process, thereby violating the sovereignty of a number of countries and probably violating international law.

The CIA's decision to set up the site in the first place wasn't controversial, but maybe it should have been: the Director of National Intelligence and the CIA director have battled ever since the intelligence reforms of 2004 over who controls covert action. Can the CIA undertake an "op" without oversight or informing the DNI? Does the National Security Council itself, rather than the DNI, play the role in intelligence and operational tasking? The law -- and subsequent executive orders -- seem to be clear on this -- the DNI decides the intelligence strategy, and gets to decide whether covert operations fit in with the strategy before they go to the president for approval.

There are gray areas here, and in the realm of cyber law, there are large gaps. The case of Michael Furlong, the former senior Defense Department official who allegedly ran his own intelligence gathering operation, illustrates the collision of two problems: the lack of a sustainable and legitimate legal framework for covert operations in the age of technology and terror, and the terrain grasping that often defies common sense. Cyber is where the edge effects come from, so every agency, component and sub-unit fights to control some part of that edge. The CIA was suspicious about what Furlong was doing, and it asked the U.S. Strategic Command for an explanation. The program was terminated when it emerged that the money was being used to essentially run covert operations -- at least in the CIA's eyes.

Though a defense official told CNN that there is no daylight between the CIA and the DoD on the matter, that's incorrect. It's not clear whether Furlong was given permission to do what he did by his superiors, and it's not clear whether the U.S. Strategic Command, which has aggressively moved into the cyber terrain, understood that Furlong's operation was within the confines of their "information operations" mission. Whether Furlong should have been given the job in the first place is another question: he was supervised by Robert Butler, then the senior chief civilian at the Joint Information Operations Warfare Command, and now the Deputy Assistant Secretary of Defense of Space and Cyberspace. Furlong was hired by then Major General John C. Koziol, JIOWC's commander and now the Deputy Under Secretary of Defense (Intelligence) for Joint and Coalition Warfighter Support.

According to several officials, the Department is investigating whether the JIOWC, based at Lackland Air Force Base, diverted funds from another classified contract to Furlong's activities, which would raise the question of whether his actions were sanctioned. (The head of strategic information ops in Afghanistan said he opposed the program and did not know about Furlong's other activities. Both these incidents are anxiety provoking for just about everyone, uniformed or civilian, with a hand in the cyber war pool. It's difficult to make the argument that the U.S. military is well-suited to oversee cyber operations if the legal authorities are murky (the website example) and if senior officials can run covert ops without anyone noticing. Are information operations covered under the rubric of "traditional military activities?" The invocation of "TMA" is intended to cover actions that the military has traditionally done that could resemble CIA intelligence actions--sending in SEALs before a landing to gather information, psychological warfare and more. Who delineates? Who figures this out? Where does cyber fit in?